Google launches Android Enterprise bug bounty program

Google has announced the launch of its first vulnerability rewards program for Android Enterprise with bounties of up to $250,000.

This builds on the introduction of several enhancements with Android 12 to boost the platform’s overall security.

Security enhancements included with the latest Android version range from toggling off USB signaling on enterprise devices to block USB-based attacks to improved password complexity controls that provide extra protection for company data.

“And since we believe scrutiny and transparency are key to improving security, we’ve launched our first Android Enterprise Vulnerability Rewards Program,” said Rajeev Pathak, Senior Product Manager at Google. 

“We’re offering a reward of up to $250,000 for a full exploit on a Pixel device running Android Enterprise.”

Google is working with industry leaders (e.g., Okta, Ping, and Forgerock) to move to Custom Tabs for authentication. The company considers this to be the best way to integrate authentication into Android Enterprise apps. 

The company is also introducing the Android Management API, which would provide the fastest delivery for enterprise features, with Android Enterprise Recommended requirements set by default.

Google bug bounty history

In July, Google launched a new platform to host all its vulnerability rewards programs (VRP) under the same roof.

Google also launched the Bug Hunter University, enabling bug hunters to brush up on their skills or even start a hunting learning streak.

“This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues,” Google said at the time.

Since Google launched its first VRP over ten years ago, it has rewarded more than 2,000 security researchers from 84 different countries worldwide for reporting over 11,000 bugs.

Google says that the total bounty earned by researchers amounts to $29,357,516 since January 2010, when it launched the Chromium vulnerability reward program.

Rewards paid for qualifying bugs through Google’s VRPs range from $100 to $31,337, but the total amount can also drastically increase for exploit chains.

For instance, Alpha Lab’s Guang Gong received a $201,337 payout for a remote code execution exploit chain that could be used to compromise Pixel 3 devices, this being the biggest single bounty Google ever paid.